Fix the relationship between serve-expired and prefetch options, patch from Saksham Manchanda from Secure64.

Fix unreachable code in ssl set options code.

Removed the dnscrypt_queries and dnscrypt_queries_chacha tests, because dnscrypt-proxy (2.0.36) does not support the test setup any more, and also the config file format does not seem to have the appropriate keys to recreate that setup.

Fix crash after reload where a stats lookup could reference old key cache and neg cache structures.

Merge PR#150 from Frzk: Systemd unit without chroot. It adds contrib/unbound_nochroot.service.in, a systemd file for use with chroot: "", see comments in the file; it uses systemd protections instead. It was superseded by #151, the unbound_portable.service file.

Merge PR#155 from Robert Edmonds: contrib/libunbound.pc.in: Fixes to Libs/Requires for crypto library dependencies.

iana portlist updated.

Fix to silence the tls handshake errors for broken pipe and reset by peer, unless verbosity is set to 2 or higher.

Add new configure option `--enable-fully-static` to enable full static build if requested; in relation to #91.

Add make distclean that removes everything configure produced, and make maintainer-clean that removes bison and flex output.

unbound-fuzzers.tar.bz2 in contrib/: three programs for fuzzing that are 1:1 replacements for the unbound-fuzzme.c that is created after applying contrib/unbound-fuzzme.patch. They are contributed by Eric Sesterhenn from X41 D-Sec.

squelch DNS over TLS errors 'ssl handshake failed crypto error' on low verbosity, they show on verbosity 3 (query details), because there is a high volume and the operator cannot do anything for the remote failure. Specifically filters the high volume errors.

For #45, check that 127.0.0.1 and ::1 are not used in unbound.conf when do-not-query-localhost is turned on, or at default on, unbound-checkconf prints a warning if it is found in forward-addr or stub-addr statements.

Fix #59, when compiled with systemd support check that we can properly communicate with systemd through the `NOTIFY_SOCKET`.

iana portlist updated.

Fix autotrust temp file uniqueness windows compile.

avoid warning about upcast on 32bit systems for autotrust.

escape commandline contents for -V.

Fix character buffer size in ub_ctx_hosts.

Option -V prints if TCP fastopen is available.

Fix unittest valgrind false positive uninitialised value report, where if gcc 9.1.1 uses -O2 (but not -O1) then valgrind 3.15.0 issues an uninitialised value for the token buffer at the str2wire.c rrinternal_get_owner() strcmp with the '@' value. Rewriting it to use straight character comparisons removes the false positive. Valgrind's --expensive-definedness-checks=yes can also stop this false positive.

Fix #30: AddressSanitizer finding in lookup3.c. This sets the hash function to use a slower but more easily auditable code path that does not read beyond array boundaries. This makes the code easier to check for security. It is slower, but does not read outside of the array.

Fix edns-subnet locks, in error cases the lock was not unlocked.

Fix doxygen output error on readme markdown vignettes.

Squelch log messages from tcp send about connection reset by peer. They can be enabled with verbosity at higher values for diagnosing network connectivity issues.

Patch from Florian Obser fixes some compiler warnings:
  include mini_event.h to have a prototype for mini_ev_cmp;
  include edns.h to have a prototype for apply_edns_options;
  sldns_wire2str_edns_keepalive_print is only called in the wire2str module, declare it static to get rid of compiler warning: no previous prototype for function;
  infra_find_ip_ratedata() is only called in the infra module, declare it static to get rid of compiler warning: no previous prototype for function;
  do not shadow local variable buf in authzone;
  auth_chunks_delete and az_nsec3_findnode are only called in the authzone module, declare them static to get rid of compiler warning: no previous prototype for function...;
  copy_rrset() is only called in the respip module, declare it static to get rid of compiler warning: no previous prototype for function 'copy_rrset';
  no need for another variable "r"; gets rid of compiler warning: declaration shadows a local variable in libunbound.c;
  no need for another variable "ns"; gets rid of compiler warning: declaration shadows a local variable in iterator.c.

Features

Fix #4154: make ECS_MAX_TREESIZE configurable, with the max-ecs-tree-size-ipv4 and max-ecs-tree-size-ipv6 options.

Fix #4190: Please create an "ANY" deny option; adds the option deny-any: yes in unbound.conf. This responds with an empty message to queries of type ANY.

Fix #4126: RTT_band too low on VSAT links with 600+ms latency; adds the option unknown-server-time-limit to unbound.conf, which can be increased to avoid the problem.

Add min-client-subnet-ipv6 and min-client-subnet-ipv4 options.

Support SO_REUSEPORT_LB in FreeBSD 12 with the so-reuseport: yes option in unbound.conf.

Unbound 1.8.1

Features

Perform TLS SNI indication of the host that is being contacted for DNS over TLS service. It sets the configured tls auth name. This is useful for hosts that apart from the DNS over TLS services also provide other (web) services.

Bug Fixes

More explicitly mention the type of ratelimit when applying ip-ratelimit.

Unbound 1.8.0

Features

unbound-control auth_zone_transfer _zone_ option starts the probe sequence for a master to transfer the zone from and transfers when a new zone version is available.

num.queries.tls counter for queries over TLS.

log port number with err_addr logs.

dns64-ignore-aaaa: config option to list domain names for which the existing AAAA is ignored and dns64 processing is used on the A record.

Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will not pass if DNSSEC is not enabled. New option -R allows fallback from resolv.conf to direct queries.

Note RFC8162 support. SMIMEA record type can be read in by the zone record parser.

Add delay parameter to streamtcp, -d secs. To be used when testing idle timeout.

Expose if a query (or a subquery) was ratelimited (not src IP ratelimiting) to libunbound under 'ub_result.was_ratelimited'. This also introduces a change to 'ub_event_callback_type' in libunbound/unbound-event.h.

Patch to implement tcp-connection-limit from Jim Hague (Sinodun). This limits the number of simultaneous TCP client connections from a nominated netblock.

#4140: Expose repinfo (comm_reply) to the inplace_callbacks. This gives access to reply information for the client's communication point when the callback is called before the mesh state (modules). Changes to C and Python's inplace_callback signatures were also necessary.

Set defaults to yes for a number of options to increase speed and resilience of the server. The so-reuseport, harden-below-nxdomain, and minimal-responses options are enabled by default. They used to be disabled by default, waiting to make sure they worked. They are enabled by default now, and can be disabled explicitly by setting them to "no" in the unbound.conf config file. The reuseport and minimal options increase the speed of the server, and should be otherwise harmless. The harden-below-nxdomain option works well together with the recently default-enabled qname minimisation; this causes more fetches to use information from the cache.

Unbound 1.7.3

Features

#4102 for NSD, but for Unbound. Named unix pipes do not use certificate and key files, access can be restricted with file and directory permissions. The option control-use-cert is no longer used, and ignored if found in unbound.conf.

Rename tls-additional-ports to tls-additional-port, because every line adds one port.

Unbound 1.7.1

Features

Add --with-libhiredis, unbound support for a new cachedb backend that uses a Redis server as the storage. This implementation depends on the hiredis client library (https://redislabs.com/lp/hiredis/). And unbound should be built with both --enable-cachedb and --with-libhiredis[=PATH] (where $PATH/include/hiredis/hiredis.h should exist). Patch from Jinmei Tatuya (Infoblox).

Create additional tls service interfaces by opening them on other portnumbers and listing the portnumbers as additional-tls-port: nr.

Can set TLS authentication with forward-addr: IP#tls.auth.name, and put the public cert bundle in tls-cert-bundle: "ca-bundle.pem", such as forward-addr: 9.9.9.9@853#dns.quad9.net or 1.1.1.1@853#cloudflare-dns.com.
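As an added example (not part of the original release notes), a complete unbound.conf fragment that forwards all queries over authenticated TLS using the forward-addr syntax above; the CA bundle path is an assumption, and it uses the forward-tls-upstream keyword (the forward-zone form of tls-upstream):

```conf
server:
    # CA bundle used to verify the upstream server certificate.
    # Assumed path; use your distribution's bundle location.
    tls-cert-bundle: "/etc/ssl/certs/ca-bundle.pem"

forward-zone:
    name: "."
    # Carry every upstream query for this zone inside TLS (port 853).
    forward-tls-upstream: yes
    # IP@port#name: the name after '#' is checked against the
    # certificate the upstream presents; a mismatch fails the connection.
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
```

Without the #name suffix the session is encrypted but the upstream certificate is not verified, so an on-path server could impersonate the forwarder; run unbound-checkconf after editing to catch syntax errors.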

list_auth_zones unbound-control command.

Added root-key-sentinel support

Bug Fixes

Fix #3727: Protocol name is TLS, options have been renamed but documentation is not consistent.

Accept tls-upstream in unbound.conf, the ssl-upstream keyword is also recognized and means the same. Also for tls-port, tls-service-key, tls-service-pem, stub-tls-upstream and forward-tls-upstream.

[dnscrypt] introduce dnscrypt-provider-cert-rotated option, from Manu Bretelle. This option allows handling multiple cert/key pairs while only distributing some of them. In order to reliably match a client magic with a given key without strong assumptions as to how those were generated, we need both key and cert. Likewise, in order to know which ES version should be used. On the other hand, when rotating a cert, it can be desirable to only serve the new cert but still be able to handle clients that are still using the old cert's public key. The `dnscrypt-provider-cert-rotated` option instructs unbound not to publish the cert as part of the DNS provider_name's TXT answer.

Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is set for stub zone. It no longer searches for DNSSEC information.

Fix #3299: forward CNAME daisy chain is not working.

Fix link failure on OmniOS.

Check whether --with-libunbound-only is set when using --with-nettle or --with-nss.

Fix qname-minimisation documentation (A QTYPE, not NS)

Fix that DS queries with referral replies are answered straight away, without a repeat query picking the DS from cache. The correct reply should have been an answer, the reply is fixed by the scrubber to have the answer in the answer section.

Fix that expiration date checks don't fail with clang -O2.

Fix queries being leaked above stub when refetching glue.

Copy query and correctly set flags on REFUSED answers when cache snooping is not allowed.

Fix issue on macOS 10.10 where TCP fast open is detected but not implemented, causing TCP to fail. The fix allows fallback to regular TCP in this case and is also more robust for cases where connectx() fails for some reason.

Unbound 1.6.5

Bug Fixes

Fix install of trust anchor when two anchors are present, makes both valid. Checks hash of DS but not signature of new key. This fixes the root.key file if created when unbound is installed between September 11 and October 11, 2017.

Fix #1280: Unbound fails assert when response from authoritative contains malformed qname. When 0x20 caps-for-id is enabled, when assertions are not enabled the malformed qname is handled correctly.

Unbound 1.6.3

Bug Fixes

Fix #1280: Unbound fails assert when response from authoritative contains malformed qname. When 0x20 caps-for-id is enabled, when assertions are not enabled the malformed qname is handled correctly.

Unbound 1.6.1

Features

configure --enable-systemd lets unbound use systemd sockets if you enable use-systemd: yes in unbound.conf. Also there are contrib/unbound.socket and contrib/unbound.service: systemd files for unbound, install them in /usr/lib/systemd/system. Contributed by Sami Kerola and Pavel Odintsov.

Added two flags to module_qstate (no_cache_lookup, no_cache_store) that control the modules' cache interactions.

Added code for registering inplace callback functions. The registered functions can be called just before replying with local data or Chaos, replying from cache, replying with SERVFAIL, replying with a resolved query, sending a query to a nameserver. The functions can inspect the available data and maybe change response/query related data (i.e. append EDNS options).

Updated Python module for the above.

Updated Python documentation.

Added views functionality.

Added qname-minimisation-strict config option.

Patch that resolves CNAMEs entered in local-data conf statements that point to data on the internet, from Jinmei Tatuya (Infoblox).

Fix #1134: unbound-control set_option -- val-override-date: -1 works immediately to ignore datetime, or back to 0 to enable it again. The -- is to ignore the '-1' as an option flag.

Patch for server.num.zero_ttl stats for count of expired replies, from Pavel Odintsov.

Fix failure to build on arm64 with no sbrk.

Set OpenSSL security level to 0 when using aNULL ciphers.

configure detects ssl security level API function in the autoconf manner. Every function on its own, so that other libraries (eg. LibreSSL) can develop their API without hindrance.

Fix unbound sets CD bit on all forwards. If no trust anchors, it'll not set CD bit when forwarding to another server. If a trust anchor, no CD bit on the first attempt to a forwarder, but CD bit thereafter on repeated attempts to get DNSSEC.

Limit number of QNAME minimisation iterations.

Validate QNAME minimised NXDOMAIN responses.

If QNAME minimisation is enabled, do cache lookup for QTYPE NS in harden-below-nxdomain.

Fix compile of getentropy_linux for SLES11 servicepack 4.

Fix dnstap-log-resolver-response-messages, from Nikolay Edigaryev.

Fix test for openssl to use HMAC_Update for 1.1.0.

ERR_remove_state deprecated since openssl 1.0.0.

OPENSSL_config is deprecated, removing.

Document permit-small-holddown for 5011 debug.

Fix unbound-checkconf getting SIGSEGV when used against a malformed conf file.

Unbound 1.5.6

Features

Default for ssl-port is port 853, the temporary port assignment for secure domain name system traffic. If you used to rely on the older default of port 443, you have to put a clause in unbound.conf for that. The new value is likely going to be the standardised port number for this traffic.

ANY responses include DNAME records if present, as per Evan Hunt's remark in dnsop.

Unbound 1.5.4

Features

Fix #644: harden-algo-downgrade option, if turned off, fixes the reported excessive validation failure when multiple algorithms are present. If set to 'no', it allows the weakest algorithm to validate the zone.

ratelimit feature, ratelimit: 1000, can be used to turn it on. It ratelimits recursion effort per zone. For particular names you can configure exceptions in unbound.conf.

Ratelimit does not apply to prefetched queries, and ratelimit-factor is default 10. Repeated normal queries get resolved and with prefetch stay in the cache.

unbound-control ratelimit_list lists high rate domains.

caps-whitelist in unbound.conf allows whitelist of loadbalancers that cannot work with caps-for-id or its fallback.

RFC 7553 RR type URI support, is now enabled by default.

cache-max-negative-ttl config option, default 3600.

Add local-zone type inform_deny, that logs query and drops answer.

Bug Fixes

Unbound exits with a fatal error when the auto-trust-anchor-file fails to be writable. This is seconds after startup. You can load a readonly auto-trust-anchor-file with trust-anchor-file. The file has to be writable to notice the trust anchor change, without it, a trust anchor change will be unnoticed and the system will then become inoperable.

DLV is going to be decommissioned. Advice to stop using it, and put text in the example configuration and man page to that effect.

Patch from Brad Smith that syncs compat/getentropy_linux with OpenBSD's version (2015-03-04).

0x20 fallback improved: servfail responses do not count as missing comparisons (except if all responses are errors), inability to find nameservers does not fail equality comparisons, many nameservers does not try to compare more than max-sent-count, parse failures start 0x20 fallback procedure.

store caps_response with best response in case downgrade response happens to be the last one.

unbound-control stats prints num.query.tcpout with number of TCP outgoing queries made in the previous statistics interval.

Patch from Jeremie Courreges-Anglas to use arc4random_uniform if available on the OS, it gets entropy from the OS.

Add unbound-control flush_negative that flushes nxdomains, nodata, and errors from the cache. For dnssec-trigger and NetworkManager, fixes cases where network changes have localdata that was already negatively cached from the previous network.

arc4random in compat/ and getentropy, explicit_bzero, chacha for dependencies, from OpenBSD. arc4_lock and sha512 in compat. This makes arc4random available on all platforms, except when compiled with LIBNSS (it uses libNSS crypto random).

Patch from Dag-Erling Smorgrav that implements that: unbound -dd does not fork in the background and also logs to stderr.

DNS64 from Viagenie (BSD Licensed), written by Simon Perrault. Initial commit of the patch from the FreeBSD base (with its fixes). This adds a module (for module-config in unbound.conf) dns64 that performs DNS64 processing, see README.DNS64.

DNSTAP support, with a patch from Farsight Security, written by Robert Edmonds. The --enable-dnstap needs libfstrm and protobuf-c. It is BSD licensed (see dnstap/dnstap.c). Also --with-libfstrm and --with-protobuf-c configure options.

type CDS and CDNSKEY types.

Updated the TCP_BACKLOG from 5 to 256, so that the tcp accept queue is longer and more tcp connections can be handled.

Fix unbound lists if forward zone is secure or insecure with +i annotation in output of list_forwards, also for list_stubs (for NetworkManager integration). And remove ':' from output of stub and forward lists, this is easier to parse.

Fix use unsigned long to print 64bit statistics counters on 64bit systems.

Fix failed prefetch lookup does not remove cached response but delays next prefetch (in lieu of caching a SERVFAIL).

Fix improved logging, the ip address of the error is printed on the same log-line as the error.

Fix explain that do-ip6 disable does not stop AAAA lookups, but it stops the use of the ipv6 transport layer for DNS traffic.

Fix compile with libevent2 on FreeBSD.

Change MAX_SENT_COUNT from 16 to 32 to resolve some cases easier.

Fixup out-of-directory compile with unbound-control-setup.sh.in.

Code cleanup patch from Dag-Erling Smorgrav, with compiler issue fixes from FreeBSD's copy of Unbound, he notes:
  Generate unbound-control-setup.sh at build time so it respects prefix and sysconfdir from the configure script.
  Also fix the umask to match the comment, and the comment to match the umask.
  Add const and static where needed.
  Use unions instead of playing pointer poker.
  Move declarations that are needed in multiple source files into a shared header.
  Move sldns_bgetc() from parse.c to buffer.c where it belongs.
  Introduce a new header file, worker.h, which declares the callbacks that all workers must define. Remove those declarations from libworker.h.
  Include the correct headers in the correct places.
  Fix a few dummy callbacks that don't match their prototype.
  Fix some casts.
  Hide the sbrk madness behind #ifdef HAVE_SBRK.
  Remove a useless printf which breaks reproducible builds.
  Get rid of CONFIGURE_{TARGET,DATE,BUILD_WITH} now that they're no longer used.
  Add unbound-control-setup.sh to the list of generated files.
  The prototype for libworker_event_done_cb() needs to be moved from libunbound/libworker.h to libunbound/worker.h.

so-reuseport: yesno option to distribute queries evenly over threads on Linux (Thanks Robert Edmonds). Reuseport is attempted, then fallback to without on failure.

delay-close: msec option that delays closing ports for which the UDP reply has timed out. Keeps the port open, only accepts the correct reply. This correct reply is not used, but the port is open so that no port-denied ICMPs are generated.

Bug Fixes

Fix if very high logging (4 or more) segfault on allow_snoop.

Fix Set SO_REUSEADDR so that the wildcard interface and a more specific interface port 53 can be used at the same time, and one of the daemons is unbound.

if configured --with-libunbound-only fix make install.

Patch from Neel Goyal to fix callback in libunbound.

Patch from Neel Goyal to fix async id assignment if callback is called by libunbound in the mesh attach.

Fix compile python plugin without ldns library.

Windows port, adjust %lld to %I64d, and warning in win_event.c.

Fixed +i causes segfault when running with module conf "iterator".

Fix no trustanchor written if filesystem full, fclose checked.

unbound-event.h is installed if you configure --enable-event-api. It contains low-level library calls, that use libevent's event_base and a wireformat return packet in a buffer to perform async resolution in the client's eventloop.

Be lenient when a NSEC NameError response with RCODE=NXDOMAIN is received. This is okay according to RFC 4035, but not after the revised notion of existence in RFC 4592. NSEC empty non-terminals exist and thus the RCODE should have been NOERROR. If this occurs, and the RRsets are secure, we set the RCODE to NOERROR and the security status of the response is also considered secure.

iana portlist updated.

contrib/cacti plugin did not report SERVFAIL rcodes because of spelling. Patch from Chris Coates.

Make reverse zones easier by documenting the nodefault statements commented-out in the example config file.

Bug Fixes

committed libunbound version 4:1:2 for binary API updated in 1.4.20

Fix for 2038, with time_t instead of uint32_t.

Fix resolve of names that use a mix of public and private addresses.

Fix endianness detection, revert to older lookup3.c detection and put new detect lines after previous tests, to avoid regressions but allow new detections to succeed. And add detection for machine/endian.h to it.

Fix queries leaking up for stubs and forwards, if the configured nameservers all fail to answer.

unbound-anchor review: BIO_write can return 0 successfully if it has successfully appended a zero length string.

Fix so that for a configuration line of include: "*.conf" it is not an error if there are no files matching the glob pattern.

Unbound 1.4.19

Features

RFC6725 deprecates RSAMD5: this DNSKEY algorithm is disabled. The contrib/patch_rsamd5_enable.diff patch enables RSAMD5 validation otherwise it is treated as insecure. The MD5 hash is considered weak for some purposes, if you want to sign your zone, then RSASHA256 is an uncontested hash.

Unbound 1.4.17

Features

unbound-control forward_add, forward_remove, stub_add, stub_remove can modify stubs and forwards for a running unbound; they can also add and remove domain-insecure for the zone. This is to support reconfiguration of a DNSSEC validator on a computer that changes networks and has to enable new network config for the new location.

new approach to NS fetches for DS lookup that works with cornercases, and is more robust and considers forwarders.

Fix to squelch 'network unreachable' errors from tcp connect in logs, high verbosity will show them.

Fix prefetch and sticky NS ghost domain. It picks nameservers that 'would be valid in the future', and if this makes the NS timeout, it updates that NS by asking delegation from the parent again. If child NS has longer TTL, that TTL does not get refreshed from the lookup to the child nameserver.

RT#2955 Fix for cygwin compilation.

Slightly smaller critical region in one case in infra cache.

Fix timeouts to keep track of query type, A, AAAA and other, if another has caused timeout blacklist, different type can still probe.

unit test fix for nomem_cnametopos.rpl race condition.

fix memory leak in errorcase for DSA signatures.

workaround for openssl 0.9.8 ecdsa sha2 and evp problem.

fix for windows, rename() is not posix compliant on windows.

iana portlist updated

Unbound 1.4.16

Features

applied patch to support outgoing-interface with ub_ctx_set_option.

Bug Fixes

Fix validation failures (like: validation failure xx: no NSEC3 closest encloser from yy for DS zz. while building chain of trust) because of a bug in the TTL-fix in 1.4.15; it picked the wrong rdata for an NSEC3. Now it does not change rdata, and fixes TTL.

Fix version-number in libtool to be version-info so it produces libunbound.so.2 like it should.

Fixes for port to OpenIndiana OS with gcc 4.6.

Fix to write key files completely to a temporary file, and if that succeeds, replace the real key file. So failures leave a useful file.

Unbound 1.4.15

Bug Fixes

Fix for memory leak (about 20 bytes when a tcp or udp send operation towards authority servers failed; it takes about 50,000 such failures to leak one MB, and such failures are also usually logged), reported by Robert Fleischmann.

Unbound 1.4.14

Features

dns over ssl support as a client, ssl-upstream yes turns it on. It performs an SSL transaction for every DNS query.

dns over ssl support as a server, ssl-service-pem and ssl-service-key files can be given and then TCP queries are serviced wrapped in SSL.

lame-ttl and lame-size options no longer exist, it is integrated with the host info. They are ignored (with verbose warning) if encountered to keep the config file backwards compatible.

TCP-upstream calculates tcp-ping so server selection works if there are alternatives.

Unbound probes at EDNS1480 if there is an EDNS0 timeout.

Bug Fixes

Fix for VU#209659 CVE-2011-4528: Unbound denial of service vulnerabilities from nonstandard redirection and denial of existence http://www.unbound.net/downloads/CVE-2011-4528.txt

Fix for tcp-upstream and ssl-upstream for if a laptop sleeps, causes SERVFAILs. Also fixed for UDP (but less likely).

Fix quartile time estimate, it was too low, (thanks Jan Komissar).

Fix double free in unbound-host, reported by Steve Grubb.

fix -flto detection on Lion for llvm-gcc.

Infra cache stores information about ping and lameness per IP, zone.

Fix resolve of partners.extranet.microsoft.com with a fix for the server selection for choosing out of a (particular) list of bad choices.

Fix make_new_space function so that the incoming query is not overwritten if a jostled out query causes a waiting query to be resumed that then fails and sends an error message. (Thanks to Matthew Lee).

Fix for out-of-memory condition in libunbound (thanks Robert Fleischman).

Fix --enable-allsymbols, it depended on link specifics of the target platform, or fptr_wlist assertion failures could occur. The feature is disabled on windows.

updated contrib/unbound_munin_ to family=auto so that it works with munin-node-configure automatically (if installed as /usr/local/share/munin/plugins/unbound_munin_ ).

unbound.exe -w windows option for start and stop service.

Fix classification of NS set in answer section, where there is a parent-child server, and the answer has the AA flag for dir.slb.com. Thanks to Amanda Constant from Secure64.

accept patch from Steve Snyder that comments out unused functions in lookup3.c.

fix various compiler warnings (reported by Paul Wouters).

max sent count. EDNS1480 only for rtt < 5000. No promiscuous fetch if sentcount > 3, stop query if sentcount > 16. Count is reset when referral or CNAME happens. This makes unbound better at managing large NS sets, they are explored when there is continued interest (in the form of queries).

remove uninit warning from cachedump code.

Fix parse error on negative SOA RRSIGs if badly ordered in the packet.

Unbound 1.4.13

Features

Note that Unbound implements RFC6303 (since version 1.4.7).

tcp-upstream yes/no option (works with set_option) for tunnels.

The format of answers to the qtype ANY with a CNAME have changed, so that there can be proper validated DNSSEC answers for them. This is for queries with qtype ANY where the domain name has a CNAME. Now an answer is returned, where before it resulted in SERVFAIL due to validation failure. When DNSSEC validation is disabled, the contents of the response have changed: the CNAME is not followed, and the correct contents of the RRsets at the initial name are included (where previously only partial contents of the initial names could have been included but the CNAME was followed). The qtype ANY is a query for debug where the resolver is to fill in relevant data that happens to be at hand from the cache.

Bug Fixes

Fix validation of qtype ANY responses with CNAMEs (thanks Cathy Zhang and Luo Ce). Unbound responds with the RR types that are available at the name for qtype ANY and validates those RR types. It does not test for completeness (i.e. with NSEC or NSEC3 query), and it does not follow the CNAME or DNAME to another name (with even more data for the already large response).

queries with CD flag set cause DNSSEC validation, but the answer is not withheld if it is bogus. Thus, unbound will retry if it is bad and curb the TTL if it is bad, thus protecting the cache for use by downstream validators.

val-override-date: -1 ignores dates entirely, for NTP usage.

harden-below-nxdomain: changed so that it activates when the cached nxdomain is dnssec secure. This avoids backwards incompatibility because those old servers do not have dnssec.

remove ITAR scripts from contrib, the service is discontinued, use the root.

Fix in infra cache that could cause rto larger than TOP_TIMEOUT kept.

algorithm compromise protection using the algorithms signalled in the DS record. Also, trust anchors, DLV, and RFC5011 receive this, and thus, if you have multiple algorithms in your trust-anchor-file then it will now behave different than before. Also, 5011 rollover for algorithms needs to be double-signature until the old algorithm is revoked.

squelch 'tcp connect: bla' in logfile, (set verbosity 2 to see them)

fix validation in this case: CNAME to nodata for co-hosted opt-in NSEC3 insecure delegation, was bogus, fixed to be insecure.

Unbound 1.4.7

Features

unbound-anchor app, unbound requires libexpat (xml parser library). It creates or updates a root.key file. Use it before you start the validator (e.g. at system boot time).

dump_infra and flush_infra commands for unbound-control.

Bug Fixes

GOST code enabled by default (RFC 5933).

Configure detects libev-4.00.

do not synthesize a CNAME message from cache for qtype DS.

Use central entropy to seed threads.

Change the rtt used to probe EDNS-timeout hosts to 1000 msec.

Fix validation failure for parent and child on same server with an insecure childzone and a CNAME from parent to child.

Change of timeout code. No more lost and backoff in blockage. At 12sec timeout (and at least 2x lost before) one probe per IP is allowed only. At 120sec, the IP is blocked. After 15min, a 120sec entry has a single retry packet.

(ports and works on Minix 3.1.7). On Minix, add /usr/gnu/bin to PATH, use ./configure AR=/usr/gnu/bin/gar and gmake.

GOST enabled if SSL is recent and ldns has GOST enabled too.

Bug Fixes

Fix TCPreply on systems with no writev, if just 1 byte could be sent.

Fix to use one pointer less for iterator query state store_parent_NS.

Max referral count from 30 to 130, because 128 one character domains is valid DNS.

added documentation for the histogram printout to syslog.

Fix assertion failure reported by Kai Storbeck from XS4ALL, the assertion was wrong.

updated ldns tarball.

iana portlist updated.

Unbound reports libev or libevent correctly in logs in verbose mode.

Fix handling of corner case reply from lame server, follows rfc2308. It could lead to a nodata reply getting into the cache if the search for a non-lame server turned up other misconfigured servers.

Fix jostle list bug found by Vince (luoce at cnnic), it caused the qps in overload situations to be about 5 qps for the class of shortly serviced queries. The capacity of the resolver is then about (numqueriesperthread / 2) / (average time for such long queries) qps for long queries. And about (numqueriesperthread / 2)/(jostletimeout in whole seconds) qps for short queries, per thread.

Fix the max number of reply-address count to be applied for duplicate queries, and not for new query list entries. This raises the memory usage to a max of (16+1)*numqueriesperthread reply addresses.

Fix RFC4035 compliance with the section 2.2 statement that the DNSKEY at apex must be signed with all algorithms from the DS rrset at the parent. This is now checked and becomes bogus if not.

Fix validation of qtype DNSKEY when a key-cache entry exists but no rr-cache entry is used (it expired or prefetch), it then goes back up to the DS or trust-anchor to validate the DNSKEY.

log if a server is skipped because it is on the donotquery list, at verbosity 4, to enable diagnosis of why no queries are sent to 127.0.0.1.

Changed the defaults for num-queries-per-thread/outgoing-range. For builtin-select: 512/960, for libevent 1024/4096 and for windows 24/48 (because of win api). This makes the ratio this way to improve resilience under heavy load. For high performance, use libevent and possibly higher numbers.

Fix if libev is installed on the base system (not libevent), detect it from the event.h header file and link with -lev.

Fix so configlexer.lex gets config.h and configyyrename.h added by make; no more double include.

More strict scrubber (Thanks to George Barwood for the idea): NS set must be pertinent to the query.

In 0x20 backoff fix fallback so the number of outstanding queries does not become -1 and block the request. Fixed handling of recursion-lame in combination with 0x20 fallback. Fix so RRsets are compared canonicalized and sorted if the immediate comparison fails, this makes the 0x20 option work around round-robin sites.

Fix retry sequence if prime hints are recursion-lame.

Fix so harden-referral-path does not result in failures due to max-depth. You can increase the max-depth by adding numbers (' 0') after the target-fetch-policy; this increases the depth to which the referral path is checked.

Fix detection of GOST support in ldns (reported by Chris Smith).

Fix for dnssec lameness detection to use the key cache.

infra cache entries that are expired are wiped clean. Previously it was possible to not expire host data (if accessed often).

Fix dnssec-missing detection that was turned off by server selection.

Fix spelling error in variable name in parser and lexer.

Fix various compiler warnings from the clang llvm compiler.

Fix comments in iter_utils:dp_is_useless.

EDNS timeout code will not fire if EDNS status already known.

EDNS failure not stored if EDNS status known to work.

Parent-child disagreement approach altered. Older fixes are removed in place of a more exhaustive search for misconfigured data available via the parent of a delegation. This is designed to be throttled by cache entries, with TTL from the parent if possible. Additionally the loop-counter is used. It also tests for NS RRset differences between parent and child. The fetch of misconfigured data should be more reliable and thorough. It should work reliably even with no or only partial data in cache. Data received from the child (as always) is deemed more authoritative than information received from the delegation parent. The search for misconfigured data is not performed normally.

Fix AD flag handling, it could in some cases mistakenly copy the AD flag from upstream servers.

Ignore Z flag in incoming messages too.

alloc_special_obtain out of memory is not a fatal error any more, enabling unbound to continue longer in out of memory conditions.

Parentside names are dispreferred but not said to be dnssec-lame.

Fix parentside and querytargets modulestate, for dump_requestlist.

unbound-control-setup makes keys -rw-r--- so that not all users are permitted to read them.

libtoolize 2.2.6b, autoconf 2.65 applied to configure.

Fix compile warning if compiled without threads.

iana portlist updated.

included ldns tarball updated.

Fix bug where a long loop could be entered, now cycle detection has a loop-counter and maximum search amount.

Unbound 1.4.4

Features

Experimental ECC-GOST algorithm support, needs openssl-1.0.0 and currently needs ldns from svn trunk. Uses ECC-GOST algorithm number 12 (assigned by IANA). As the RFC is written, we intend to make it optional, because a dependency on openssl-1.0.0 is hard across distributions right now.

unbound-host disables use-syslog from config file so that the config file for the main server can be used more easily.

Include less in config.h and include per code file for ldns, ssl.

Bug Fixes

pkt_dname_tolower could read beyond end of buffer or get into an endless loop, if 0x20 was enabled, and buffers are small or particular broken packets are received.

Fix chain of trust with CNAME at an intermediate step, for the DS processing proof.

Fix validation of queries with wildcard names (*.example).

Fix EDNS probe for .de DNSSEC testbed failure, where the infra cache timeout coincided with a server update, the current EDNS backoff is less sensitive, and does not cache the backoff unless the backoff actually works and the domain is not expecting DNSSEC.

unbound control flushed items are not counted when flushed again.

iana portlist updated.

unbound-checkconf could not parse interface '0.0.0.0@5353', even though unbound itself worked fine.

Fixed random numbers for port, interface and server selection. Removed very small bias.

Refer to the listing in unbound-control man page in the extended statistics entry in the unbound.conf man page.

prefetch-key option that performs DNSKEY queries earlier in the validation process, and that could halve the latency on DNSSEC queries. It takes some extra processing (CPU, a cache is needed).

prefetch option that prefetches popular queries before they expire.

change unbound-control-setup from 1024(sha1) to 1536(sha256).

Bug Fixes

Re-query pattern changed on validation failure. To protect troubled authority servers, unbound caches a failure for the DNSKEY or DS records for the entire zone, and only retries that 900 seconds later. This implies that only a handful of packets are sent extra to the authority if the zone fails. We made the choice to send out more conservatively, protecting against an aggregate effect more than protecting a single user (from their own folly, perhaps in case of misconfig).

No more blacklisting of unresponsive servers, a 2 minute timeout is backed off to.

RD flag not enabled for dnssec-blacklisted tries, unless necessary.

log 'tcp connect: connection timed out' only in high verbosity.

Disregard DNSKEY from authority section for chain of trust. DS records that are irrelevant to a referral are scrubbed (anti-poisoning).

Check for 'no space left on device' (or other errors) when writing updated autotrust anchors and print errno to log.

Fixup in compat snprintf routine, %f 1.02 and %g support.

include math.h for testbound test compile portability.

Updated url of IANA itar, interim trust anchor repository, in script.

configure test for memcmp portability.

removed warning on format string in validator error log statement.

libtool finish the install of unbound python dynamic library.

Fixup lookup trouble for parent-child domains on the first query.

Fixup ldns detection to also check for header files.

Fix unbound-checkconf for auto-trust-anchor-file present checks.

Fix for parent-child disagreement code which could have trouble when (a) ipv6 was disabled and (b) the TTL for parent and child were different. There were two bugs, the parent-side information is fixed to no longer block lookup of child side information and the iterator is fixed to no longer attempt to get ipv6 when it is not enabled and then give up in failure.

Unbound 1.4.0

Features

RFC 5702: RSASHA256 and RSASHA512 support enabled by default. Please use openssl 0.9.8 or later, that provide sha256 and sha512.

included ldns tarball updated (which also enables rsasha256 support).

val-log-level: 2 shows extended error information for validation failures, one line per failure. For example: validation failure <example.com. DNSKEY IN>: signature expired from 192.0.2.4 for trust anchor example.com. while building chain of trust

Made new validator error string available from libunbound for applications. It is in result->why_bogus, a zero-terminated string. unbound-host prints it by default if a result is bogus. Also the errinf is public in module_qstate (for other modules).

retry on DNSSEC failures, query other servers, unbound works harder to get valid DNSSEC data.

so-rcvbuf: 4m option added. Set this on large busy servers to not drop the occasional packet in spikes due to full socket buffers. netstat -su keeps a counter of UDP dropped due to full buffers.

auto-trust-anchor-file option with RFC5011 support, code from the NLnet Labs autotrust project(BSD license), is incorporated. In this way unbound can support trust anchor revocation properly, even revocation back to the unsigned state. It can read normal anchor files or autotrust files initially, after probing the file is written to in a format specific to unbound.

use linebuffering for log-file: output, this can be significantly faster than the previous fflush method and enable some class of resolvers to use high verbosity (for short periods). Not on windows, because line buffering does not work there.

Patch from Zdenek Vasicek and Attila Nagy for using the source IP from python scripts. See pythonmod/examples/resip.py.

Got a patch from Luca Bruno for libunbound support on windows to pick up the system resolvconf nameservers and hosts there.

call OPENSSL_config() in unbound and unit test so that the operator can use openssl.cnf for configuration options.

Experimental support (disabled by default) for GOST for unofficial algorithm number 249 of draft-dolmatov-dnsext-dnssec-gost-01, tested to work with openssl-1.0.0beta and correct for examples in -01 draft.

edns-buffer-size option, default 4096. Can be set to 1480 in case of DNS UDP fragments not arriving from authority servers.

iana portlist updated.

contrib/split-itar.sh from Tom Hendrikx to split anchors.mf from the IANA ITAR into individual key files that can be tracked with auto-trust-anchor-file.

Unbound 1.3.4

Bug Fixes

Fixed bug in NSEC3 validation handling code: Under specific circumstances checks of signatures over NSEC3 records are not done. As a result carefully crafted delegation responses (created through exploiting general DNS vulnerabilities such as DNS packet spoofing) can be used to downgrade an existing secure delegation to insecure. Unbound users who depend on DNSSEC validation are advised to upgrade.

Bug Fixes

Unbound 1.3.1

Features

unbound_munin_ in contrib uses ps to show total memory rss if sbrk hack does not work.

Added build-unbound-localzone-from-hosts.pl to contrib, from Dennis DeDonatis. It converts /etc/hosts into config statements.

Bug Fixes

Fixup potential wrong NSEC picked out of the cache.

If unfulfilled callbacks are deleted they are called with an error.

fwd above stub in configuration works.

removed random whitespace from example.conf.

Fixed bug where cached responses would lose their security status on second validation, which especially impacted dlv lookups. Reported by Hauke Lampe.

Fixup opportunistic target query generation so it does not generate queries that are known to fail.

harden-referral-path: handle cases where NS is in answer section.

updated fedora specfile in contrib from Paul Wouters.

Fix EDNS fallback when EDNS works for short answers but long answers are dropped.

On Linux, fragment IPv6 datagrams to the IPv6 minimum MTU, to avoid dropped packets at routers.

Fix of message parse bug where (specifically) an NSEC and RRSIG in the wrong order would be parsed, but put wrongly into internal structures so that later validation would fail.

Queries for type DS when forward or stub zones are there. They are performed to higher-up domains, and thus treated as if going to higher zones when looking up the right forward or stub server. This makes a stub pointing to a local server that has a local view of example.com signed with the same keys as are publicly used work. Reported by Johan Ihren.

same thing fixed for forward-zone and DS, chain of trust from public internet into the forward-zone works now.

flush_type and flush_name remove message cache entries as well, so they also remove errors from the cache.

Fix copying of the delegation point bogus flag.

openssl key files are opened 'apache-style', from user root and before the chroot. This makes permissions on remote-control key files easier.

Unbound 1.3.0

Features

Major features are Windows port, and Python contribution. Previous releases accidentally enabled experimental rsasha256 algorithms, fixed, see below. There are minor features and bug fixes too.

initgroups(3) is called to drop secondary group permissions, if this OS functionality is available.

daemon(3) posix call is used when available

configure option --with-ldns-builtin forces the use of the included ldns package with the unbound source. The -I include is put before the others, so it avoids bad include files from an older ldns install.

--enable-sha2 option for rsasha256 and rsasha512 support (experimental because it is still in working group draft stage). Default is off. Previous releases accidentally enabled this feature when lib openssl supported SHA256. It then used algorithms 8, 9 for RSASHA256 and 10, 11 for RSASHA512 (using four numbers as was according to the draft spec at that time). The earlier versions support NSEC and NSEC3 for all these algorithm numbers. People with these earlier versions may also have earlier openssl versions (0.9.7), and therefore the experimental feature is disabled. As long as these signing algorithm code points are not allocated, there is no problem. You are advised to upgrade to the current version to avoid surprises.

new option log-time-ascii: yes; if enabled, it prints timestamps in the log file as Feb 06 13:45:26 (like syslog does).

verbosity level 5 logs customer IP for new requestlist entries.

contrib contains specfile for fedora 1.2.1 (from Paul Wouters).

call setusercontext() if available (on BSD)

Added stats_noreset feature for unbound-control.

Added flush_requestlist feature for unbound-control.

unbound-control status shows if root forwarding is in use.

Added forward command for unbound control to change forwarders to use on the fly.

Added contrib/update-itar.sh. This script is similar to update-anchor.sh, and updates from the IANA ITAR repository. You can provide your own PGP key and trust repo, or can use the builtin. The program uses wget and gpg to work.

Support spaces and backslashes in configure default paths

register and deregister util programs for unbound.exe into the windows service control manager. Works on XP and with Vista UAC.

unbound can work as a service on windows, for the registry settings and default program location and so on, see the windows manual.

Added contrib/unbound_cacti for statistics support in cacti, contributed by Dmitriy Demidov.

domain-insecure: "example.com" statement added. Sets domain insecure regardless of chain of trust DSs or DLVs. The inverse of a trust-anchor.

use _beginthreadex() when available (performs stack alignment on mingw)

added launchd plist example file for MacOSX to contrib.

reworked configure scripts to be neater.

python contribution from Zdenek Vasicek and Marek Vavrusa. (Sponsored by cz.nic for 'summer of code' development). This contains support to use libunbound from python code. And support to create unbound modules written in python that perform custom processing of queries. The code is disabled by default and needs to be enabled by passing options to configure. Installs the following files: /usr/lib/python2.x/site-packages/ unboundmodule.py unbound.py and _unbound.so*. The script examples are not installed. Sphinx docs can be built with make doc (if sphinx-build is available).

new libunbound calls to manage local data more easily

read /dev/random before chroot

suppress errors when trying to contact authority servers that gave ipv6 AAAA records for their nameservers with ipv4 mapped contents. Still tries to do so, higher verbosity shows the error.

Fix #231: Added unbound-checkconf -o option, which prints that value from the config file. Useful for scripting in management scripts and the like.

Bug Fixes

fix for threadsafety in solaris thr_key_create() in tests.

fixes for porting the python code to BSD and Darwin

fix for openssl-1.0.0beta, use of STRING #define, libdl linking.

Fix reentrancy in minievent handler for unix. Could have resulted in spurious event callbacks.

fix munin plugin, perform cleanup of stale lockfiles.

Fix for removal of RSASHA256_NSEC3 protonumber from ldns. Also new rsasha512 (interim) algorithm number.

Detect FreeBSD jail without ipv6 addresses assigned.

Fixed a bug that caused messages to be stored in the cache too long. Hard to trigger, but NXDOMAINs for nameservers or CNAME targets have been more vulnerable to the TTL miscalculation bug.

fixed bug in unbound-control flush_zone where it would not flush every message in the target domain. This especially impacted NXDOMAIN messages which could remain in the cache regardless.

Fixup so no non-absolute rpaths are added.

Fixup validation of RRSIG queries, they are let through.

fix util/configlexer.c and solaris -std=c99 flag.

deprecation test for daemon(3) (on MacOSX).

module-config entries order is important. Documented.

Fix for and test for unknown algorithms in a trust anchor definition. Trust anchors with no supported algos are ignored. This means a (higher)DS or DLV entry for them could succeed, and otherwise they are treated as insecure.

Added tests: unknown algorithms become insecure, fallback works.

fixed so queries do not fail on opportunistic target queries.

munin plugin fix benign locking error printout.

fixup --export-symbols to be -export-symbols for libtool. This should fix extraneous symbols exported from libunbound. Thanks to Ondrej Sury and Robert Edmonds for finding it.

document FAQ entry on stub/forward zones and default blocking.

Remove fwrite warning on Ubuntu

Added more cycle detection. Also for target queries.

Fixup bug where during deletion of the mesh queries the callbacks that were reentrant caused assertion failures. Keep the mesh in a reentrant safe state. Affected libunbound, reload of server, on quit and flush_requestlist.

documented that unbound-host reads no config file by default.

slightly nicer memory management in iter-fwd code.

small refactor of stats clearing.

fixup EOL in include directive (reported by Paul Wouters).

config parser changed. Gives some syntax errors closer to where they occurred. Does not enforce a space after keyword anymore. Does not allow literal newlines inside quoted strings anymore.

detect event_base_new() in libevent-1.4.1 and later and use it.

MacOSX Leopard cleaner text output from configure.

change in libunbound API: ub_cancel can return an error, that the async_id did not exist, or that it was already delivered. The result could have been delivered just before the cancel routine managed to acquire the lock, so a caller may get the result at the same time they call cancel. For this case, ub_cancel tries to return an error code. Fixes race condition in use of ub_cancel() libunbound function.

Fixup assertion failure (thanks to Brett Carr).

Fix detection of no ipv6 on XP (with different error code).

Fixup a crash-on-exit which was triggered by a very long queue.

Fixed bug that could cause a crash if root prime failed when there were message backlogs.

Unbound 1.2.1

Features

negative caching for failed queries. Queries that failed (because the entire domain is down) are cached for a very short time (seconds), this lowers the load generated by the failed queries. If the failure is local, like out of memory, it is not cached.

stop resolving AAAAs promiscuously when they are in the negative cache, together with the negative caching feature (just above) this dampens the spikiness of the requestlist size.

the TTL comparison for the cache used different comparisons, causing many cache responses that used the iterator and validator state machines unnecessarily. Fixed.

Fixed occasional SERVFAIL response when EDNS traffic is dropped for a domain. Set retry from 4 to 5 so that EDNS drop retry is part of the first query resolve attempt, and cached error does not stop EDNS fallback.

removed debug prints in code that protects against bad referrals.

fix bug where unbound could crash using libevent 1.3 and older.

more quiet about ipv6 network failures, i.e. when ipv6 is not available (network unreachable). Debug still printed on high verbosity.

Unbound 1.2.0

Features

extended statistics has a number of ipv6 queries counter. contrib/unbound_munin_ was updated to draw ipv6 in the hits graph.

SElinux policy files in contrib/selinux for the unbound daemon, by Paul Wouters and Adam Tkac.

Bug Fixes

The long standing bug with libevent use is fixed. It turns out to be a race condition in the calls to libevent. The builtin mini-event did not have a problem being called like this, but libevent and libev usage is now fixed. Libevent 1.1 is reported to still give problems, but 1.4.5 and 1.4.8 seem fine.

Certain packets could cause an assertion failure, resulting in a denial-of-service vector if the server was compiled with --enable-debug (assertions enabled). This is fixed.

fixed bug reported by Duane Wessels: an error in DLV lookup would mark some zones that had correct DLV keys as insecure.

fix lame marking. Security fix that resolves a denial of service that could be triggered by an unusual configuration. Thanks to Mark Zealey for reporting.

no more race condition in makefile during build with high -j inside included libldns version.

iana portlist updated to most recent, avoids allocated ports.

L root server AAAA record added to builtin root hints.

removed possible race condition in unit test for race conditions.

fixup reported problem with transparent local-zone data where queries with different type could get nxdomain. Now queries with a different name get resolved normally, with different type get a correct NOERROR/NODATA answer.

HINFO no longer downcased for validation, making unbound compatible with bind and ldns.

fix reading included config files when chrooted. Give full path names for include files. Relative path names work if the start dir equals the working dir.

fix libunbound message transport when no packet buffer is available.

fixup getaddrinfo failure handling for remote control port.

fixup so it works with libev-3.51 from http://dist.schmorp.de/libev/

ldns tarball updated with 1.4.1rc for DLV unit test.

fixup BSD port for infra host storage. It hashed wrongly.

follow ldns rc makedist name generation.

snapshot version uses _ not - to help rpm distinguish the version number.

do not reopen syslog to avoid dev/log dependency. This makes chroot environments easier.

fixed: unbound checkconf checks if key files exist if remote control is enabled. Also fixed NULL printf when not chrooted.

Fix problem reported by Jaco Engelbrecht where unbound-control stats freezes up unbound if this was compiled without threading, and was using multiple processes.

test for remote control with interprocess communication.

created command distribution mechanism so that remote control commands other than 'stats' work on all processes in a nonthreaded compiled version. dump/load cache work, on the first process.

fixup remote control local_data addition memory corruption bug.

configure complains when --without-ssl is given, fixed.

blacklisted servers are polled at a low rate (1%) to see if they come back up. But not if there is some other working server.

documented that the user of the server daemon needs read privileges on the keys and certificates generated by unbound-control-setup. This is different per system or distribution, usually, running the script under the same username as the server uses suffices. i.e. sudo -u unbound unbound-control-setup

unbound-control-setup.sh removes read/write permissions other from the keys it creates (as suggested by Dmitriy Demidov).

Unbound 1.1.0

Features

DLV support

contrib update-anchor.sh neatly updates keys for DLV or root or others and only restarts the nameserver when keys have changed. exits 0 when a restart is needed, other values if not. So, update-anchor.sh -d mydir && /etc/rc.d/unbound restart can restart unbound exactly when needed. Use -b for BIND mode.

Negative caching for NSEC, NSEC3 for DLV lookups, as well as for securely insecure delegations.

Filter out overreaching NSEC records

dev/log(syslog) opened before chroot

use setresuid/setresgid, more secure.

logfile message classification as notice, info, debug.

harden-referral-path option implements draft-wijngaards-dnsext-resolver-side-mitigation-00, protects against many Kaminsky variations. Default is off, because of added load it generates, and experimental status.

disallow nonrecursive queries for cache snooping by default. You can allow it using access-control: subnet allow_snoop. The defaults do allow access to authoritative data without RD bit.

DoS resistance implementation. Half of the queries run to completion. The other half is a LIFO where old entries are overwritten if they are 200 msec old.
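The request-list behaviour described in this entry, and the per-thread capacity estimate given in the 1.4.x "Fix jostle list bug" entry above, modelled as an added example. This is not Unbound's own code: it reserves half of the list for run-to-completion queries, keeps the other half as a jostle LIFO whose oldest entry is overwritten once it is older than the 200 msec jostle timeout, and rejects a new query when no slot can be freed (the rejection, the class and function names, and the sizes used in the usage call are this example's assumptions).

```python
"""Model of a resolver request list with a jostle (LIFO) half.

Added example, not Unbound's code. It follows the changelog description:
half of the request list is for queries that run to completion, the
other half is a LIFO where an old entry is overwritten by a new query
once it is at least JOSTLE_TIMEOUT_MS old. Rejecting a query when no
slot can be freed is an assumption of this model.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

JOSTLE_TIMEOUT_MS = 200  # value stated in the changelog entry


@dataclass
class Query:
    name: str
    arrived_ms: int


@dataclass
class RequestList:
    size: int  # plays the role of num-queries-per-thread
    run_to_completion: List[Query] = field(default_factory=list)
    jostle: List[Query] = field(default_factory=list)  # oldest first
    dropped: int = 0

    def admit(self, name: str, now_ms: int) -> str:
        """Place a new query and report which class of slot it got."""
        half = self.size // 2
        q = Query(name, now_ms)
        if len(self.run_to_completion) < half:
            # These entries are never overwritten; they finish on their own.
            self.run_to_completion.append(q)
            return "run-to-completion"
        if len(self.jostle) < half:
            self.jostle.append(q)
            return "jostle"
        oldest = self.jostle[0]
        if now_ms - oldest.arrived_ms >= JOSTLE_TIMEOUT_MS:
            # Old short-lived work is sacrificed for the new query.
            self.jostle.pop(0)
            self.jostle.append(q)
            return "jostle (overwrote %s)" % oldest.name
        self.dropped += 1  # modelled as a rejected query
        return "dropped"

    def finish(self, name: str) -> None:
        """Remove a query that has been answered, from whichever half."""
        for lst in (self.run_to_completion, self.jostle):
            for i, q in enumerate(lst):
                if q.name == name:
                    del lst[i]
                    return


def capacity_qps(num_queries_per_thread: int, avg_long_query_s: float,
                 jostle_timeout_s: float = JOSTLE_TIMEOUT_MS / 1000.0
                 ) -> Tuple[float, float]:
    """Per-thread (long-query qps, short-query qps) estimate from the
    changelog: (n/2)/(average time of long queries) and
    (n/2)/(jostle timeout in seconds)."""
    half = num_queries_per_thread / 2.0
    return half / avg_long_query_s, half / jostle_timeout_s


if __name__ == "__main__":
    rl = RequestList(size=4)  # constructed tiny list for demonstration
    for name, t in [("a", 0), ("b", 0), ("c", 0), ("d", 10), ("e", 100), ("f", 250)]:
        print(name, "->", rl.admit(name, t))
    print("capacity (long qps, short qps):", capacity_qps(1024, 2.0))
```

With a four-slot list, "e" arriving at 100 ms is dropped because the oldest jostle entry is only 100 ms old, while "f" at 250 ms overwrites it; the capacity call uses the libevent default of 1024 queries per thread from the entry above and an assumed 2 s average for long queries.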

Block DNS rebinding attacks. This disallows domains from the public internet from pretending to have internet addresses in your own netblock. Use the private-address and private-domain statements (see unbound.conf(5) man page for details). We may consider turning this on by default for rfc1918 (local subnet) addresses.
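What the private-address and private-domain statements achieve, as an added example that is not Unbound's own code: address records pointing into a private netblock are removed from an answer unless the owner name is at or below a private-domain. The policy (RFC 1918 ranges plus an IPv6 ULA block), the sample answer, and the function names are constructed for this example.

```python
"""Scrub A/AAAA records that would rebind public names to private space.

Added example, not Unbound's code. Models the private-address and
private-domain behaviour: an address inside a private-address netblock
is dropped unless its owner name is under a private-domain. The policy
lists and sample RRs below are constructed for the example.
"""
import ipaddress
from typing import Iterable, List, Tuple

RR = Tuple[str, str, str]  # (owner name, rrtype, rdata)

# Constructed policy: the RFC 1918 netblocks plus the IPv6 ULA block.
PRIVATE_ADDRESS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8")]
# Names that are allowed to resolve to private addresses.
PRIVATE_DOMAIN = ["corp.example."]


def in_domain(name: str, domain: str) -> bool:
    """True if name is at or below domain (absolute names, case-insensitive)."""
    name, domain = name.lower(), domain.lower()
    return name == domain or name.endswith("." + domain)


def is_private_target(rdata: str, private_address=PRIVATE_ADDRESS) -> bool:
    """True if rdata is an address inside one of the private netblocks.
    IPv4-mapped IPv6 addresses (::ffff:10.0.0.1) are checked as IPv4."""
    try:
        addr = ipaddress.ip_address(rdata)
    except ValueError:
        return False
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr in net for net in private_address)


def scrub(rrs: Iterable[RR], private_address=PRIVATE_ADDRESS,
          private_domain=PRIVATE_DOMAIN) -> Tuple[List[RR], List[RR]]:
    """Return (kept, removed). Only A/AAAA records are judged; an RR is
    removed when its address is private and its owner is not under any
    private-domain."""
    kept, removed = [], []
    for owner, rtype, rdata in rrs:
        private = rtype in ("A", "AAAA") and is_private_target(rdata, private_address)
        exempt = any(in_domain(owner, d) for d in private_domain)
        (removed if private and not exempt else kept).append((owner, rtype, rdata))
    return kept, removed


# Constructed answer: a public name pointing into private space, the same
# via an IPv4-mapped AAAA, a legitimately private internal name, a public
# address, and a non-address record.
SAMPLE_ANSWER = [
    ("rebind.example.", "A", "192.168.1.10"),
    ("rebind.example.", "AAAA", "::ffff:10.0.0.5"),
    ("www.corp.example.", "A", "10.1.2.3"),
    ("www.example.", "A", "192.0.2.7"),
    ("www.example.", "MX", "10 mail.example."),
]

if __name__ == "__main__":
    kept, removed = scrub(SAMPLE_ANSWER)
    for rr in removed:
        print("removed:", rr)
    for rr in kept:
        print("kept:   ", rr)
```

Running it drops the two rebind.example. records and keeps the rest; the corp.example. record survives only because of the private-domain entry, which is the exception an operator adds for internal names that legitimately live in the protected netblocks.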

if server selection is faced with only bad choices, it will attempt to get more options to be fetched.

changed bogus-ttl default value from 900 to 60 seconds. In anticipation that operator caused failures are more likely than actual attacks at this time. And thus repeated validation helps the operators get the problem fixed sooner. It makes validation failures go away sooner (60 seconds after the zone is fixed). Also it is likely to try different nameserver targets every minute, so that if a zone is bad on one server but not another, it is likely to pick up the 'correct' one after a couple minutes, and if the TTL is big enough that solves validation for the zone.

do not query bogus nameservers. It is as-if nameservers that have the NS or A or AAAA record bogus are listed as donotquery.

CFLAGS are picked up by configure from the environment.

silenced EHOSTDOWN, verbosity 2 and higher show it.

configure check for ldns version 1.4.0 or later

Fix for problem reported on mailing list, If a delegation point has no A but only AAAA and do-ip6 is no, resolution would fail. Fixed to ask for the A and AAAA records. It has to ask for both always, so that it can fail quietly, from TLD perspective, when a zone is only reachable on one transport.

fixed, pidfile can be outside chroot. openlog is done before chroot and drop permissions. logfile is created with correct permissions again. Some errors are not written to logfile (pidfile writing, forking), and these are only visible by using the -d commandline flag.

Fix update-anchor.sh to work both in BSD shell and bash.

Fix so unsigned additionals are not marked bogus, they are left unchecked, since signatures may have fallen off due to message size. Unchecked items are removed from the additional just like bogus is for that message. Defers validation for those rrsets.

Fix assertion fail on bogus key handling

Fix so dnssec lameness detection works on first query at trust apex.

Fix compilation without pthreads on linux.

builtin iana assigned portlist updated

ldns snapshot inside source tarball updated to 1.4.0

Fix NSEC_AT_APEX classification for short typemaps.

Fix nonblocking and timeouts on TCP sockets

Fix for multiple simultaneous timeout back offs. Could cause trouble for forwarders

Unbound 1.0.1

Features

This version features bugfixes to compile on various distributions, some options necessary to assist packaging and distribution of unbound, a couple of fixes for looking up corner cases (badly operated domains), and a cleanup of code for config file reading.

pidfile, rundir, and chroot configure options. Also the example.conf and manual pages get the configured defaults. You can use: (or accept the defaults to /usr/local/etc/unbound/) --with-conf-file=filename --with-pidfile=filename --with-run-dir=path --with-chroot-dir=path

-r option for unbound-host, read resolv.conf.

--disable-shared not passed along to ldns included with unbound. Fixed so that configure parameters are passed to the subdir configure script. Fixed that ./libtool is used always, you can still override manually with ./configure libtool=mylibtool or set $libtool in the environment.